In this week’s episode, #145, Veracode CTO Chris Wysopal joins us to talk about the early days of the information security industry with L0pht and about securing software supply chains. Also: we continue our series on life after the password by speaking to Ian Paterson, the CEO of behavioral authentication vendor Plurilock.
Chris Wysopal (aka Weld Pond) is one of the most recognized and recognizable figures and voices in the information security space. As the co-founder of the seminal Boston hacking collective L0pht Heavy Industries, Wysopal was one of seven members of the L0pht who testified before the U.S. Senate’s Governmental Affairs Committee in 1998.
More than two decades later, as co-founder and Chief Technology Officer at Veracode, he is a successful technology entrepreneur and one of the clearest voices calling for more attention to secure design and coding as a solution for endemic online problems like hacking and data theft.
In this interview, recorded on the floor of the RSA Conference in San Francisco in March, I had the opportunity to talk to Chris about his early days at L0pht and the information security industry, discovering the first stack overflow in Internet Explorer and the modern challenges of securing software supply chains.
The Persistence of Passwords
When the virtualization software firm Citrix said in March that it was the victim of a months-long cyber espionage campaign, law enforcement attention focused on a so-called “password spraying” attack as the likely culprit. The low-tech hack simply requires criminals to attempt to remotely access Citrix accounts using known usernames in combination with weak passwords.
Attacks like that are commonplace – just one more proof point that single-factor authentication, though vulnerable, remains in incredibly wide use.
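As an added illustration that is not part of the original show notes, here is a small Python check for the spraying pattern described above, run over constructed failed-login records; the record format, addresses and thresholds are assumptions, not anything from Citrix or the episode.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-login events for illustration only (not real logs):
# (timestamp, source IP, username). Real sources would be VPN, gateway or IdP logs.
SAMPLE_FAILURES = [
    ("2019-03-01 09:00:01", "203.0.113.7", "alice"),
    ("2019-03-01 09:00:04", "203.0.113.7", "bob"),
    ("2019-03-01 09:00:07", "203.0.113.7", "carol"),
    ("2019-03-01 09:00:10", "203.0.113.7", "dave"),
    ("2019-03-01 09:00:13", "203.0.113.7", "erin"),
    ("2019-03-01 09:00:16", "203.0.113.7", "frank"),
    # One user mistyping a password from a second address: not a spray.
    ("2019-03-01 09:05:00", "198.51.100.9", "alice"),
    ("2019-03-01 09:05:20", "198.51.100.9", "alice"),
    ("2019-03-01 09:05:40", "198.51.100.9", "alice"),
    # Attempts hours apart fall outside the window and are not flagged here.
    ("2019-03-01 12:00:00", "192.0.2.55", "grace"),
    ("2019-03-01 15:00:00", "192.0.2.55", "heidi"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def detect_spraying(failures, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted usernames} for sources whose failures within any
    sliding window touch at least `min_users` accounts while no single account is
    hit more than `max_per_user` times: the 'few passwords, many users' shape of a
    spray, as opposed to a brute force hammering one account."""
    by_source = defaultdict(list)
    for ts, src, user in failures:
        by_source[src].append((parse(ts), user))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        seen, start = set(), 0
        for end in range(len(events)):
            # Slide the window so events[start:end+1] all fall within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in events[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                seen.update(counts)
        if seen:
            flagged[src] = sorted(seen)
    return flagged
```

Tune `window` and `min_users` to the login volume of the system being monitored; a slow spray spread over days needs a longer window than the one used here.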
In our second segment, we sit down with someone who wants to change that. Ian Paterson is the CEO of the firm Plurilock – one of a slew of next-generation behavioral authentication firms to crop up in recent years.
In this conversation, Paterson and I talk about why organizations cling to passwords and what – if anything – will replace them. He says that the writing is already on the wall for traditional passwords, as password managers are fast turning even alphanumeric passwords from something you know and can remember into something you have.